On 22 May 2013, the UK Government published a call for evidence as part of its consultation on the European Commission’s proposed Directive for Network and Information Security (the “NIS Directive”). If enacted in its proposed form, the NIS Directive would oblige all European Union (“EU”) Member States to produce a national cybersecurity strategy, establish a national CERT (Computer Emergency Response Team) and cybersecurity authority, share information between Member States and implement mandatory reporting of significant security breaches in some industry sectors.

The NIS Directive will primarily affect public administrative bodies, and the following types of organisation:

  • Providers of services relating to:
    • E-commerce platforms;
    • Internet payment gateways;
    • Social networks;
    • Search engines;
    • Cloud computing; and
    • App stores.
  • Operators of critical infrastructure, including those involved in:
    • Energy;
    • Transport;
    • Banking;
    • Financial markets; and
    • Healthcare.
  • Regulators of the above.

Micro enterprises (organisations employing fewer than 10 people and with an annual turnover of less than €2 million) will be excluded from the NIS Directive.

Call for evidence

The UK Government wishes to understand how the NIS Directive will affect UK organisations, in particular what the effects, costs and benefits of mandatory reporting would be. Consequently, the Government has requested that organisations likely to be affected by the proposed NIS Directive submit evidence on the issue.

Evidence can be contributed online, by email or by post until Friday 21 June 2013, and further information on how to do this is contained within the call for evidence.